::puts on the BOFH hat::
Dec. 15th, 2005 01:32 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
jecook posting in ![[community profile]](https://www.dreamwidth.org/img/silk/identity/community.png){kind=small}
techrecoveryDirect from the work order log. names changed to prevent me from losing my job. I just got a raise, and it would suck to lose that and more...
She has been very naughty, and she is losing her Local Administrator privledges, which I usually confer because frankly, I'm the odd duck who trusts their users to not install crap on their machines. Obviously, this gets abused.. ::sigh::
---
While reclaiming power adapter that was loaned out, I discovered the [luser] had non-company approved software installed on her computer, including Incredimail. This is not only NON-supported software, but I have removed it in the past from her machine and requested to her that she not use it, as there is not easy export method for it. Noticed unusual software on machine, which prompted me to kick it off the network. I then removed the system from her desk and brought it to my office for decomtamination, and forced re-building of a non-local Administrator profile.
Spyware found on system:
Powerscan (http://vil.nai.com/vil/content/v_124770.htm) (It ran on Startup when I logged in local Administrator to remove the rest of the Non approved software from the machine, and it was claiming to remove porn from the machine. I immediately powereed the system down and re-started from BartPE)
ISTBar (http://www.doxdesk.com/parasite/ISTbar.html , probably bundled with above, as the above uses this program to search your computer...)
Internet Optimizer (http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453076206)
NAVexcel (http://www.doxdesk.com/parasite/NavExcel.html)
YourSiteBar (http://securityresponse.symantec.com/avcenter/venc/data/adware.yoursitebar.html)
SideFind (http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453088285)
Along with many, many Tracking Cookies.
Running Mcafee scan. Will transfer profile and re-create user as Power User only in a new profile after scan is finished.
--
Also note: this luser is one of our HR people, so you _know_ there's sensitive information on the damn machine....
She has been very naughty, and she is losing her Local Administrator privledges, which I usually confer because frankly, I'm the odd duck who trusts their users to not install crap on their machines. Obviously, this gets abused.. ::sigh::
---
While reclaiming power adapter that was loaned out, I discovered the [luser] had non-company approved software installed on her computer, including Incredimail. This is not only NON-supported software, but I have removed it in the past from her machine and requested to her that she not use it, as there is not easy export method for it. Noticed unusual software on machine, which prompted me to kick it off the network. I then removed the system from her desk and brought it to my office for decomtamination, and forced re-building of a non-local Administrator profile.
Spyware found on system:
Powerscan (http://vil.nai.com/vil/content/v_124770.htm) (It ran on Startup when I logged in local Administrator to remove the rest of the Non approved software from the machine, and it was claiming to remove porn from the machine. I immediately powereed the system down and re-started from BartPE)
ISTBar (http://www.doxdesk.com/parasite/ISTbar.html , probably bundled with above, as the above uses this program to search your computer...)
Internet Optimizer (http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453076206)
NAVexcel (http://www.doxdesk.com/parasite/NavExcel.html)
YourSiteBar (http://securityresponse.symantec.com/avcenter/venc/data/adware.yoursitebar.html)
SideFind (http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453088285)
Along with many, many Tracking Cookies.
Running Mcafee scan. Will transfer profile and re-create user as Power User only in a new profile after scan is finished.
--
Also note: this luser is one of our HR people, so you _know_ there's sensitive information on the damn machine....
![[identity profile]](https://www.dreamwidth.org/img/silk/identity/openid.png){kind=small}
no subject
Date: 2005-12-15 09:06 pm (UTC)Care to guess how much spyware we find on a daily basis?? Had one the other day with no less than 11 different keyloggers installed.
So it brings me to fits of laughter when there's a big story about identity theft, and all these CEOs and CIOs are wringing their hands and saying "we're doing all we can to protect your information..."
no subject
Date: 2005-12-15 09:35 pm (UTC)no subject
Date: 2005-12-15 10:40 pm (UTC)no subject
Date: 2005-12-15 10:58 pm (UTC)Riiiiight....
no subject
Date: 2005-12-15 11:28 pm (UTC)no subject
Date: 2005-12-15 11:57 pm (UTC)Set her at user.
Folks at my office who do things like that get volunteered to be in pilot groups (;
no subject
Date: 2005-12-16 02:04 am (UTC)no subject
Date: 2005-12-16 05:25 am (UTC)no subject
Date: 2005-12-16 05:33 am (UTC)It won't let her do certain things like change network settings, or install software, which is why we made the change.
no subject
Date: 2005-12-16 12:16 pm (UTC)no subject
Date: 2005-12-16 06:02 pm (UTC)no subject
Date: 2005-12-18 02:54 am (UTC)She's a malware-magnet - you've established this. Even without software install privs, a power user is still able to write to the HKLM and HKCR hives - meaning that all the web-borne malware she's clicking on will be able to install. It doesn't ask nicely or use the Windows Installer service that she is restricted from.
(Yes, I'm aware that technically, HKCR is a sub-hive of HKLM now, but most aren't.)